[Cryptography] Applying the Mesh to do SSH really right

Howard Chu hyc at symas.com
Tue Oct 26 03:22:45 EDT 2021

Phillip Hallam-Baker wrote:
> On Sun, Oct 24, 2021 at 8:40 AM Howard Chu <hyc at symas.com> wrote:
>     Phillip Hallam-Baker wrote:
>     > April King started a thread on Twitter about how to use SSH in the enterprise: Why aren't people using the SSH PKI, why do people roll their own key
>     > provisioning scripts knowing these are almost certain to be disaster areas?
>     Good question. Pretty much every pain point you outline here is already solved in enterprises by LDAP.
>     Rolling any other solutions just sounds like pointless protocol proliferation.
> Since a major concern I raised was insider threat and since LDAP is a single point of trust, I fail to see how LDAP is remotely relevant.

You cannot eliminate that central point. You have to give someone authority to terminate
or disable an employee's access. Anyone who can do so can also reset their credentials.
> LDAP does not address the private key management either. All it does is provide one means of distributing certs.

That is false. It can also be used to securely distribute the private keys. Painlessly,
as demonstrated here https://twitter.com/hyc_symas/status/851170944345407488

> I have never understood what advantage LDAP was
> supposed to have over some HTTP scheme for that.

The simple fact that LDAP implementations already come with mature security models with
fine grained authorization and distributed administration makes it far more suitable than
an arbitrary scheme cooked up over HTTP.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
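Added example, not part of Howard Chu's message and not taken from OpenLDAP's own documentation: an OpenLDAP slapd.conf access-control fragment showing the kind of fine-grained, delegated authorization the message refers to, applied to SSH key material. Everything in it is assumed for illustration: a directory under dc=example,dc=com with users in ou=people, groupOfNames entries cn=ssh-servers, cn=sec-admins, cn=hr and cn=ssh-users under ou=groups, the openssh-lpk schema's sshPublicKey attribute, and a hypothetical sshPrivateKey attribute holding an encrypted private key. The sec-admins group is deliberately the one place where "can disable access" and "can reset credentials" coincide, which is the point the message makes about the unavoidable central authority.

```conf
# Added example (not from the post): OpenLDAP slapd.conf access rules for
# per-user SSH key material. Assumptions: users under ou=people,dc=example,dc=com;
# sshPublicKey from the openssh-lpk schema (must be loaded); sshPrivateKey is a
# hypothetical attribute for an encrypted private key; the cn=... groups are
# groupOfNames entries under ou=groups,dc=example,dc=com.

# Refuse any operation over a session with less than 128 bits of protection,
# i.e. require TLS (or an equivalent SASL layer) for every client.
security ssf=128

# ACL evaluation: the first "access to" block whose "to" part matches is used,
# and within it the first matching "by" clause wins. Order accordingly.

# Public keys: the owner manages their own key; ssh servers (bound as their
# own DN) may read them for AuthorizedKeysCommand lookups; sec-admins may
# replace or delete them; nobody else sees them.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=sshPublicKey
    by self write
    by group.exact="cn=ssh-servers,ou=groups,dc=example,dc=com" read
    by group.exact="cn=sec-admins,ou=groups,dc=example,dc=com" write
    by * none

# Private key material: only the owner may read or replace it, and only over
# a TLS session with at least 256 bits of protection. sec-admins get the
# write-only privilege "=w": enough to rotate or delete a key (reset the
# credential) without being able to read it. Everyone else: nothing.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=sshPrivateKey
    by self tls_ssf=256 write
    by group.exact="cn=sec-admins,ou=groups,dc=example,dc=com" =w
    by * none

# Distributed administration: HR can terminate a user's SSH access by removing
# them from cn=ssh-users (which the servers consult before honouring a key),
# without ever touching key material. Servers may only read the membership.
access to dn.exact="cn=ssh-users,ou=groups,dc=example,dc=com" attrs=member
    by group.exact="cn=hr,ou=groups,dc=example,dc=com" write
    by group.exact="cn=ssh-servers,ou=groups,dc=example,dc=com" read
    by * none

# Everything else on a user entry (entry itself, uid, cn, ...): the owner may
# read it, ssh servers may read it to locate a user by uid, other
# authenticated users may only search it, anonymous clients get nothing.
access to dn.subtree="ou=people,dc=example,dc=com"
    by self read
    by group.exact="cn=ssh-servers,ou=groups,dc=example,dc=com" read
    by users search
    by * none
```

Two caveats a practitioner would want. First, the rootdn of the database bypasses every rule above, so it is the residual single point of trust the message says cannot be eliminated; keep its credential offline and audit its use. Second, these are the slapd.conf forms of the directives; under cn=config the same rules go into olcAccess values on the database entry, each prefixed with an ordering tag such as {0}, and the global "security" line becomes olcSecurity. On the server side, sshd's AuthorizedKeysCommand would bind as the host's own DN (a member of cn=ssh-servers) and fetch sshPublicKey for the connecting user, checking cn=ssh-users membership first.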
